To fetch Duo Security logs, you first must do the following configurations in Duo and obtain Client ID, Client secret, and API hostname:
Go to the Duo login page and enter your credentials to access your account.
Click Applications and Protect an Application.
Find Web SDK and click Protect.
Protect an Application¶
You can view your Client ID, Client Secret, and API Hostname under Details.
Details¶
Duo Security consists of the log source template DuoSecurityFetcher which has pre-defined settings and configurations to fetch Duo Security logs.
To configure:
Go to Settings >> Log Sources from the navigation bar and click Add Log Source.
From the list of templates, select DuoSecurityFetcher.
In source, you can add details about Duo Security from where DuoSecurity fetches logs.
Click Source.
Enter the Log Source’s Name.
Enter the Duo Security Base URL.
Enter the Request Timeout (secs) for the API request.
In Retry After (secs), enter the time to wait after an error or timeout.
Select the frequency at which data is retrieved in Fetch Interval (min) and select Charset.
Select a Timezone. The timezone must be same as of Duo Security.
Configuring Source¶
Connector is a pathway for transmitting logs from Duo Security to Logpoint. In connector, you can configure how the Duo Security Fetcher and Duo Security communicate with each other.
Click Connector.
In Custom Params,
2.1. Enter the Duo Security integration key in ikey Value.
2.2. Enter the Duo Security secret key in skey Value.
2.3. Enter the Duo Security API hostname in host Value.
In Custom headers, enter Key and Value.
Enable Enforce HTTPS certificate verification to enable a secure connection.
Enable Proxy to use a proxy server.
5.1. Select either HTTP or HTTPS protocol.
5.2. Enter the proxy server IP address and the PORT number.
Configuring Connector¶
In endpoints, configure details about the Duo Authentication logs.
Click Endpoints and + Add Row.
Enter the endpoint’s Name.
Select the request Method to call the endpoint.
3.1. If you select POST, enter the Post request body in JSON format. If your POST request body consists of an incremental value and the value is a date, then the value of values must be [{{Start}}].
Enter the Endpoint part of the previously added Base URL.
Enter a Description for the endpoint.
In Headers, click + Add Row. Enter the custom header’s Key and its Value. They are sent in request headers. The request parameters cannot be log filtering fields, such as start_date or end_date.
In Query Parameters, click + Add Row. Enter the request parameter’s Key and Value.
For example, if you are using the Data query filter, such as /api/alerts?$filter=(severity eq ‘High’) or (severity eq ‘Medium’), you must enter $filter as Key and (severity eq ‘High’) or (severity eq ‘Medium’) as Value.
Query Parameters are sent in the request URL.
Important
If you need to provide the starting or end point of the log fetch, then they must be specified in either the Query parameters or Post request body. They must also be specified using Jinja template keywords, such as {{Start}} or {{End}}.
For example:
Post request body
{“filters:
[
{
“fieldName”:”StartTimestamp”,
“operator”: “equals”,
“values”: {{Start}}
},
{
“fieldName”:”EndTimestamp”,
“operator”: “equals”,
“values”: {{End}} }
] }
Here, the field name StartTimestamp indicates the starting point of fetch, and EndTimestamp indicates the end point of fetch. These values are incremented dynamically in subsequent fetch attempts.
Query Parameters
StartTimestamp -> {{start}}
EndTimestamp -> {{end}}
In Increment Value / Check Sum, enter the increment field from the response of the API.
For example, if the increment field is event_date and it is inside Events, then enter Events.event_date. The field is saved in CheckSum, a database that uses the field to record until data is fetched. This ensures there is no log duplication as DuoSecurity Fetcher checks the CheckSum every time before fetching any new data.
Enter the Response key, which is an identifier to locate and parse logs within an API response.
Enter a Custom Date Format for API response.
In Logs Filtering Parameters, select the parameters to filter the incoming logs.
11.1. Select a Data format.
11.1.1. Select ISO Date to represent data using the International Standards Organization (ISO) format of “yyyy-MM-dd”. Example: 2017-06-10. If you select ISO Date, then its value must be in the string format in the Post request body.
11.1.2. Select UNIX Epoch to represent data using the UNIX epoch time format. It is a system for measuring time as the number of seconds that have elapsed since January 1, 1970, at 00:00:00 UTC (Coordinated Universal Time). Example: 1672475384.
11.1.3. Select UNIX Epoch (ms) to represent data using the UNIX epoch time format with milliseconds precision. It is a system for measuring time as the number of milliseconds that have elapsed since January 1, 1970, at 00:00:00 UTC (Coordinated Universal Time). Example:1672475384000.
11.1.4. Select Custom Format to define your format for representing the data. The custom format can be created using Date/Time patterns.
11.1.5. Select Unique ID to represent data using a unique ID. Its value must be in the number format in the Post request body.
11.2. Select an Initial Fetch date. Logs are fetched for the first time from this date.
In Pagination Key, enter the location of the following page URL from the response if the API supports pagination.
For example, if the data from the Duo Security API looks like the following, the pagination key is meta.next.
{ "meta": { "next": "https://api.duosecurity.com/admin/v1/logs/authentication?offset=2&limit=2" } }
Click Save Changes.
Configuring Endpoint¶
To edit the endpoint configuration, click the (
) icon under Action and click Edit. Make the necessary changes and click Save Changes.
To delete the endpoint configuration, click the () icon under Action and click Delete.
In routing, you can create repos and routing criteria for DuoSecurity Fetcher. Repos are locations where incoming logs are stored and routing criteria is created to determine the conditions under which these logs are sent to repos.
To create a repo:
Click Routing and + Create Repo.
Enter a Repo name.
In Path, enter the location to store incoming logs.
In Retention (Days), enter the number of days logs are kept in a repository before they are automatically deleted.
In Availability, select the Remote logpoint and Retention (Days).
Creating a Repo¶
Click Create Repo.
In Repo, select the created repo to store Duo Security logs.
To create Routing Criteria:
Click + Add row.
Enter a Key and Value. The routing criteria is only applied to those logs which have this key value pair.
Select an Operation for logs that have this key value pair.
3.1. Select Store raw message to store both the incoming and the normalized logs in the selected repo.
3.2. Select Discard raw message to discard the incoming logs and store the normalized ones.
3.3. Select Discard entire event to discard both the incoming and the normalized logs.
In Repository, select a repo to store logs.
Creating a Routing Criteria¶
Click the (
) icon under Action to delete the created routing criteria.
In normalization, you can select normalizers for the incoming logs. Normalizers transform incoming logs into a standardized format for consistent and efficient analysis.
Click Normalization.
You can either select a previously created normalization policy from the Select Normalization Policy dropdown or select a Normalizer from the list and click the swap(
) icon.
In enrichment, you can select an enrichment policy for the incoming logs. Enrichment policies are used to add additional information to a log, such as user information, device type or geolocation, before analyzing it.
Click Enrichment.
Select an Enrichment Policy.
Click Create Log Source to save the configurations of Source, Connector, Endpoints, Routing, Normalization and Enrichment.
Go to Settings >> System Settings from the navigation bar and click Plugins.
Find Duo Security and click Manage.
Enable Configure Duo Security Settings.
Select Traditional Prompt (V1) or Universal Prompt (V2). Go to Configuring Multi Factor Authentication to learn how to configure users created using Traditional Prompt (V1). Note that Duo Security only supports Universal Prompt (V2) for new users.
Enter the Client Id, the Client Secret and the API Hostname. Go to Appendix for information on obtaining the Client Id, Client Secret and API Hostname.
Select an Authentication behavior when Duo Security is unavailable.
6.1. Select Let users login to allow login even if the secondary authentication device is unavailable.
6.2. Select Do not let users login to restrict login if the secondary authentication device is unavailable.
Enter the Connection Timeout (in seconds) that is the maximum time limit to complete the authentication.
Configuring Duo Security¶
Click Save.
Date/Time Patterns
Date Type |
Format |
Example |
|---|---|---|
UTC |
%Y-%m-%dT%H:%M:%SZ |
2023-04-27T07:18:52Z |
ISO-8601 |
%Y-%m-%dT%H:%M:%S%z |
2023-04-27T07:18:52+0000 |
RFC 2822 |
%a, %d %b %Y %H:%M:%S %z |
Thu, 27 Apr 2023 07:18:52 +0000 |
RFC 850 |
%A, %d-%b-%y %H:%M:%S UTC |
Thursday, 27-Apr-23 07:18:52 UTC |
RFC 1036 |
%a, %d %b %y %H:%M:%S %z |
Thu, 27 Apr 23 07:18:52 +0000 |
RFC 1123 |
%a, %d %b %Y %H:%M:%S %z |
Thu, 27 Apr 2023 07:18:52 +0000 |
RFC 822 |
%a, %d %b %y %H:%M:%S %z |
Thu, 27 Apr 23 07:18:52 +0000 |
RFC 3339 |
%Y-%m-%dT%H:%M:%S%z |
2023-04-27T07:18:52+00:00 |
ATOM |
%Y-%m-%dT%H:%M:%S%z |
2023-04-27T07:18:52+00:00 |
COOKIE |
%A, %d-%b-%Y %H:%M:%S UTC |
Thursday, 27-Apr-2023 07:18:52 UTC |
RSS |
%a, %d %b %Y %H:%M:%S %z |
Thu, 27 Apr 2023 07:18:52 +0000 |
W3C |
%Y-%m-%dT%H:%M:%S%z |
2023-04-27T07:18:52+00:00 |
YYYY-DD-MM HH:MM:SS |
%Y-%d-%m %H:%M:%S |
2023-27-04 07:18:52 |
YYYY-DD-MM HH:MM:SS am/pm |
%Y-%d-%m %I:%M:%S %p |
2023-27-04 07:18:52 AM |
DD-MM-YYYY HH:MM:SS |
%d-%m-%Y %H:%M:%S |
27-04-2023 07:18:52 |
MM-DD-YYYY HH:MM:SS |
%m-%d-%Y %H:%M:%S |
04-27-2023 07:18:52 |